Attackers exploiting WSUS vulnerability drop Skuld infostealer (CVE-2025-59287)

Attackers have been spotted exploiting the recently patched WSUS vulnerability (CVE-2025-59287) to deploy infostealer malware on unpatched Windows servers.

An out-of-band update

Last week’s release of an emergency fix for CVE-2025-59287, a Windows Server Update Services (WSUS) remote code execution vulnerability, was almost immediately followed by reports of in-the-wild exploitation.

With a PoC exploit that had been made public a few days before the fix and a patch that could be reverse-engineered, attackers had enough to create exploits of their own and start targeting unpatched, internet-facing Windows Server machines with the WSUS Server role enabled.

Eye Security were among the first to report suspicious activity related to CVE-2025-59287 exploitation.

The attacks they detected differed from the PoC exploit published by Hawktrace, which led them to conclude that the threat actor had capabilities beyond those of a script kiddie.

Huntress incident responders also reported successful attacks and observed attackers run commands for network reconnaissance, data collection and exfiltration, and staging for lateral movement and/or credential harvesting.

Attackers are exfiltrating data and installing an infostealer

“[CVE-2025-59287] is rooted in an ‘unsafe deserialization of untrusted data.’ Security researchers have identified multiple attack paths including sending a specially crafted request to the GetCookie() endpoint, which causes the server to improperly deserialize an AuthorizationCookie object using the insecure BinaryFormatter,” Palo Alto Networks researchers explained earlier this week.

“Another path targets the ReportingWebService to trigger unsafe deserialization via SoapFormatter. In both cases, a remote, unauthenticated attacker can trick the system into executing malicious code with the highest level of system privileges.”

Eye Security CTO Piet Kerkhofs told Help Net Security that only a few of their customers were hit by attackers and that though they expect ransomware groups to leverage this vulnerability, they have yet to see such a development.

Sophos has detected abuse of the WSUS flaw in multiple customer environments across a range of industries. The company’s threat researchers did not pinpoint the exploit used, but they’ve been able to take a peek at some of the data the attackers collected and exfiltrated to two webhook.site URLs.

“The raw content revealed dumps of domain user and interface information for multiple universities as well as technology, manufacturing, and healthcare organizations. Most of the victims are based in the United States,” they shared on Wednesday.

“Censys scan data confirmed that the public interfaces recorded in the webhook content correlated to Windows servers that have default WSUS ports 8530 and 8531 exposed to the public.”

The Darktrace Threat Research team has also analyzed multiple attacks its solutions detected.

“While the likely initial access method is consistent across the cases, the follow-up activities differed, demonstrating the variety in which such a CVE can be exploited to fulfil each attacker’s specific goals,” they disclosed.

In one of the attacks, they detected:

  • Data exfiltration via webhook.site URLs
  • Attackers downloading the legitimate DFIR tool Velociraptor, configured to establish a tunnel for command and control communication
  • The subsequent downloading of a malicious payload: a UPX-packed Windows binary containing the open-source “Skuld Stealer”, which can harvest crypto wallets, files, system information, browser data and tokens.

Based on the attacks observed so far, attackers do not appear to be targeting specific organizations. Instead, they are opportunistically hitting every vulnerable Windows Server they can reach from the internet by sending a specially crafted request to its WSUS service.

Advice for defenders

Based on newer information, the Cybersecurity and Infrastructure Security Agency has updated its initial alert with revised information on vulnerable product identification and potential threat activity detections.

Organizations that use Windows Server and WSUS to distribute Microsoft updates across their computer fleet should identify servers vulnerable to exploitation, apply the out-of-band security update for CVE-2025-59287, and reboot them.

“In addition to checking for endpoint security platform events, CISA recommends that potentially affected organizations investigate signs of threat activity on their networks,” the agency added.
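The following triage script is an added example, not code from the article, CISA or Microsoft. It turns the advice above and the exposure detail Sophos mentions (WSUS ports 8530 and 8531 reachable from the internet) into something an administrator can run elevated on a Windows Server: it checks whether the WSUS role is installed, whether the default WSUS ports are listening, whether any update has landed since the out-of-band fix shipped, and whether the WSUS service or its IIS worker process has spawned shells or download utilities, or whether any PowerShell script block references webhook.site. Everything beyond what the page states is an assumption and is marked as such in the code: the patch cutoff date, the 14-day look-back, the choice of parent and child process names, and the requirement that process-creation auditing (Event ID 4688, with command-line logging) and script-block logging (Event ID 4104) are enabled. Because the KB number differs per OS build, the date check is only a hint; confirm the installed KB against Microsoft's advisory.

```powershell
# Added triage script for CVE-2025-59287 exposure and post-exploitation signs.
# Not from the article or any vendor; run elevated on the WSUS server itself.
# ASSUMPTIONS: cutoff date, look-back window, process names and audit settings below
# are the author's choices, not facts stated on the page.

$PatchCutoff = Get-Date '2025-10-23'        # assumed out-of-band release date; adjust to the advisory
$LookBack    = $PatchCutoff.AddDays(-14)    # assumed window: PoC was public shortly before the fix
$WsusPorts   = 8530, 8531                   # default WSUS HTTP/HTTPS ports named by Sophos
$Findings    = [System.Collections.Generic.List[string]]::new()

# 1. Is the WSUS server role installed at all? (Get-WindowsFeature exists on Windows Server.)
$wsus = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
if ($wsus -and $wsus.Installed) {
    $Findings.Add('WSUS role (UpdateServices) is installed: host is in scope for CVE-2025-59287')
} else {
    Write-Host 'WSUS role not installed; host is not a WSUS server.'
}

# 2. Are the default WSUS ports listening, and on which address?
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $WsusPorts } |
    ForEach-Object {
        $scope = if ($_.LocalAddress -in '0.0.0.0', '::') { 'all interfaces' } else { $_.LocalAddress }
        $Findings.Add("WSUS port $($_.LocalPort) listening on $scope; confirm it is not reachable from the internet")
    }

# 3. Has anything been installed since the out-of-band fix shipped? (Hint only; verify the KB.)
$recent = Get-HotFix | Where-Object { $_.InstalledOn -ge $PatchCutoff }
if (-not $recent) {
    $Findings.Add("No updates installed since $($PatchCutoff.ToShortDateString()); the CVE-2025-59287 fix is probably missing")
} else {
    $ids = ($recent.HotFixID | Sort-Object -Unique) -join ', '
    $Findings.Add("Updates installed since cutoff: $ids (check the KB for this build against the advisory)")
}

# 4. Shells or download utilities spawned by the WSUS service or its IIS worker process.
#    The flaw runs code in the WSUS process context, so these parent/child pairs are
#    worth reviewing. Requires Security event 4688 with command-line auditing (assumed).
$suspectParents  = 'wsusservice.exe', 'w3wp.exe'
$suspectChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'certutil.exe', 'curl.exe', 'bitsadmin.exe'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $LookBack } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $parent = ([IO.Path]::GetFileName([string]$d['ParentProcessName'])).ToLower()
        $child  = ([IO.Path]::GetFileName([string]$d['NewProcessName'])).ToLower()
        if ($parent -in $suspectParents -and $child -in $suspectChildren) {
            $Findings.Add("$($_.TimeCreated) $parent -> $child : $($d['CommandLine'])")
        }
    }

# 5. PowerShell script blocks that reference the exfiltration endpoint seen in the attacks.
#    Requires script-block logging (event 4104) to be enabled (assumed).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $LookBack } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'webhook\.site' } |
    ForEach-Object { $Findings.Add("$($_.TimeCreated) script block references webhook.site") }

if ($Findings.Count) { $Findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No findings.' }
```

A hit in step 4 or 5 is a reason to isolate the server and pull full forensic data before patching, since the article's sources describe exfiltration and staging for lateral movement rather than a single drive-by payload; a clean result only means these particular traces are absent, not that the server was never reached.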
